Questions:

What MFA options are available for me to use?

What MFA option should I use?

What are the differences between the MFA options that are available?

Answer: 

Green Tick = Advantage

Red X = Drawback

Question Mark = Potential Limitation

Okta Verify (Recommended Option)

Okta Verify is an app installed on a smartphone, which Okta uses in combination with push notifications to generate MFA requests. In addition to push notifications, Okta Verify supports offline use via TOTP codes (in the same way as Google Authenticator).

  • (tick) MFA uses data network (no phone network required)
  • (tick) Supports offline use using TOTP codes
  • (tick) Can be installed on multiple mobile devices
  • (tick) Does not rely on a specific browser or capabilities to work
  • (tick) Good resistance to phishing attacks
  • (error) Requires a mobile device.
  • (error) Each device must be registered separately

Google Authenticator/TOTP (Recommended Option)

TOTP MFA uses a 6-digit number as the MFA validation. Each number can only be used once, and the device generating the TOTP code does not need to be online. It requires an app to be installed on a trusted device, but the app can be any application that supports the Google Authenticator (TOTP) standard.

  • (tick) MFA does not use any network (device containing Google Authenticator can be offline)
  • (tick) Supports offline use
  • (tick) Can be installed on multiple devices
  • (tick) Does not rely on specific browser capabilities to work
  • (tick) Good resistance to phishing attacks
  • (question) Depending on the app, codes may automatically sync to multiple devices
  • (error) Requires a TOTP app

Voice or SMS

Okta uses voice calls or SMS messages to relay a unique 5- or 6-digit number. You then enter the number into Okta as a second factor. This option requires nothing more than a working phone network. However, it relies on the security of the phone system to provide assurance.

  • (tick) Does not require an app on a mobile device
  • (tick) Does not rely on specific browser capabilities to work
  • (error) Poor resistance to phishing attacks
  • (error) Vulnerable to SIM swapping attacks.
  • (error) Requires reliable phone network.
  • (error) Requires device to be online during authentication

FIDO2 hardware Token - webauthn

Due to the unpredictable behavior of FIDO2 (webauthn), WSU does not recommend FIDO2 authenticators as a general option for MFA.

FIDO2 tokens use cryptographic mechanisms to provide MFA. These methods provide a very high level of assurance that the MFA is valid. However, FIDO2 implementations are unreliable in common use: FIDO2 tokens rely on the browser to correctly route requests to hardware tokens, and support for these extensions is not universal. In particular, FIDO2 is not usable in "embedded browsers", such as those used to log in to Office365 from applications such as Outlook.

  • (tick) MFA does not use any network.
  • (tick) Very good phishing resistance
  • (tick) Does not require second device to be online during authentication
  • (error) Support for FIDO2 is not universal over all browsers and apps
  • (error) Requires purchase of physical device
  • (error) All devices must be registered twice (login.wsu.edu and wsu.okta.com must be registered separately)

TOTP hardware Token

TOTP hardware tokens use a 6-digit code as the MFA factor. The code is generated by a dedicated hardware token, similar in form to FIDO2 tokens.

  • (tick) MFA does not use any network
  • (tick) Good phishing resistance
  • (error) Requires hardware token
  • (error) Must be pre-registered by WSU IT (Helpdesk)
  • (error) Limited lifespan of device

FIDO2 Biometric MFA (Touch-ID, Face-ID, etc) - webauthn

Due to the unpredictable behavior of FIDO2 (webauthn), WSU does not recommend FIDO2 authenticators as a general option for MFA.

FIDO2 Biometric MFA uses a device's built-in authentication (such as Touch ID or Windows Hello face recognition) to provide MFA. Because these biometric authenticators use the same FIDO2 authentication model, they have the same restrictions as FIDO2 tokens, with additional restrictions.

  • (tick) MFA does not use any network
  • (tick) Very good phishing resistance
  • (tick) Does not require second device to be online during authentication
  • (tick) Does not require separate purchase
  • (error) Support for FIDO2 is not universal over all browsers and apps
  • (error) Each browser on a device must be registered separately for each domain (login.wsu.edu and wsu.okta.com)
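The two FIDO2 sections above both note that a credential must be registered separately for login.wsu.edu and wsu.okta.com, and both rate FIDO2 as very phishing-resistant. Both facts come from the same WebAuthn rule: the authenticator binds each credential to a Relying Party ID, and the site verifying an assertion must check that the browser-reported origin and the SHA-256 of the RP ID in the authenticator data match what it expects. The following added example (not Okta's or WSU's code) builds a simplified assertion and runs those relying-party checks; the assertion structures are constructed stand-ins, the lookalike origin is a placeholder, and the final signature verification over the authenticator data is deliberately left out because it needs the registered public key and a crypto library.

```python
import base64
import hashlib
import json
import os
import struct


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_hash(rp_id: str) -> bytes:
    """WebAuthn authenticator data begins with SHA-256(rpId); this is the domain binding."""
    return hashlib.sha256(rp_id.encode()).digest()


def make_assertion(rp_id: str, origin: str, challenge: bytes, sign_count: int) -> dict:
    """Constructed stand-in for a browser's navigator.credentials.get() result.

    A real authenticator would also return a signature over authenticatorData ||
    SHA-256(clientDataJSON); that part is omitted in this example.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4, big-endian)
    flags = 0x01 | 0x04                      # UP (user present) and UV (user verified)
    auth_data = rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_rp_id: str, allowed_origins: set,
                     expected_challenge: bytes, last_sign_count: int = 0) -> tuple:
    """Relying-party checks from the WebAuthn spec, in order. Returns (ok, reason)."""
    try:
        client = json.loads(assertion["clientDataJSON"])
    except (KeyError, ValueError):
        return False, "clientDataJSON unparseable"
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if client.get("origin") not in allowed_origins:
        # The browser fills in the origin; a lookalike site gets its own origin here,
        # so a credential used on the wrong site fails before any signature is checked.
        return False, "origin %r not allowed" % client.get("origin")
    auth = assertion["authenticatorData"]
    if len(auth) < 37:
        return False, "authenticatorData too short"
    if auth[:32] != rp_id_hash(expected_rp_id):
        # Credential was minted for a different RP ID: this is why login.wsu.edu and
        # wsu.okta.com each need their own registration.
        return False, "rpIdHash does not match %r" % expected_rp_id
    if not auth[32] & 0x01:
        return False, "user-present flag not set"
    sign_count = struct.unpack(">I", auth[33:37])[0]
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    # Final step in a real RP: verify the signature with the stored public key (omitted here).
    return True, "ok"


def demo() -> dict:
    challenge = os.urandom(32)               # fresh per login, generated by the RP
    okta_assertion = make_assertion("wsu.okta.com", "https://wsu.okta.com", challenge, 7)
    return {
        "same_domain": verify_assertion(
            okta_assertion, "wsu.okta.com", {"https://wsu.okta.com"}, challenge, 6),
        "other_wsu_domain": verify_assertion(
            okta_assertion, "login.wsu.edu", {"https://login.wsu.edu"}, challenge, 6),
        "lookalike_site": verify_assertion(
            make_assertion("wsu.okta.com", "https://lookalike.example", challenge, 7),
            "wsu.okta.com", {"https://wsu.okta.com"}, challenge, 6),
        "stale_counter": verify_assertion(
            okta_assertion, "wsu.okta.com", {"https://wsu.okta.com"}, challenge, 7),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "other_wsu_domain" case is the one the article's drawback bullets describe: the same physical key is fine, but a credential registered under one RP ID does not verify under the other, so the user registers twice. The "lookalike_site" case is the phishing-resistance property: the RP never sees a matching origin, and the checks fail without any user judgement involved.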

Related Articles:

https://www.okta.com/blog/2022/10/the-need-for-phishing-resistant-multi-factor-authentication/

https://help.okta.com/oie/en-us/content/topics/security/mfa/webauthn-compatibility.htm

https://support.okta.com/help/s/article/To-register-FIDO2-WebAuthN-Keys-under-both-URLs-Custom-Domain-and-Okta-Org-URL?language=en_US

How to Set Up Your Security Methods